Technical Specification ● MISRA C++ and AUTOSAR ● Chair of Standards Council Canada TC22/SC32 Electrical and electronic components (SOTIF) ● Chair of UL4600 Object Tracking ● RISC-V Datacenter/Cloud Computing You can’t have them. Agenda 1. Current status of C++ safety: MISRA and C++ CG 2. Parallel Safety rules 3. Automotive Safety case Safety Critical API Evolution minimize API surface area , reduce ambiguity SAE ORAD • UL4600 • RISC-V Safety/Security • Misra: checkable rules only • Autosar C++ Guidelines: a mix of meta guidelines and checkable rules • High Integrity C++: for static checkers • WG23 Programming

- CppCon 2021 Modules demystified and applied A (SHORT) TOUR OF C++ MODULES 2ABOUT ME Electrical engineer Build computers and create software for 40 years Develop hardware and software in the // must not "expose" TU-local 'bar()'! 1 2 3 4 5 6 7 8 31 . 7FROM HEADER TO MODULE A reality check 32USAGE SCENARIOS 1. Use {fmt} in traditional way by #including the required {fmt} headers 2. As ) clang only MSBuild (by Microsoft, since msvc16.8, ) msvc only make bring your own build rules, f.e. like Bloomberg's more ? build2.org GitHub Visual Studio P2473 36RESOURCES Papers

Technical Specification ● MISRA C++ and AUTOSAR ● Chair of Standards Council Canada TC22/SC32 Electrical and electronic components (SOTIF) ● Chair of UL4600 Object Tracking ● RISC-V Datacenter/Cloud scope = DefaultScope) const noexcept; //... };} ● memory_order ○ Why no default? ■ C++ seq_cst rules out lots of devices ■ Least common denominator relaxed leads to surprises when migrating existing constraints ○ work_item, sub_group, work_group, device, system ○ Why no default? ■ Safest system rules out lots of devices ■ Least common denominator work_group leads to surprises when migrating

voltage20 Consider the output pin Microcontroller Pin resistor HIGH = ~3.3V time voltage electrical currentclass output_pin { public: virtual ~output_pin() = default; virtual void level(bool statusstatus toggle_led(output_pin& p_pin, milliseconds p_delay) { SJ_CHECK(p_pin.level(true)); delay(p_delay / 2); SJ_CHECK(p_pin.level(false)); delay(p_delay / 2); return success(); } SJ_CHECK(pin1.level()) << 1 | SJ_CHECK(pin1.level()); auto const voltage = SJ_CHECK(v_sense[device_select].read());MACROs were OK, but noisy 44 std::uint8_t const device_select = SJ_CHECK(pin1

at Paws of Britannia with your favorite search engine • I used to write software for industrial electrical breakers and military flight simulators • CAE Electronics Ltd, IREQ • Full-time professor since at Paws of Britannia with your favorite search engine • I used to write software for industrial electrical breakers and military flight simulators • CAE Electronics Ltd, IREQ • Full-time professor since

R0 B0 B1 B2 B3 BG3 • Multiple bank groups for a rank • A rank is just a CS line from the electrical domain perspective • It is part of addressing scheme tooR1 Memory 36 B0 B1 B2 B3 BG0 B0 R0 B0 B1 B2 B3 BG3 • Multiple bank groups for a rank • A rank is just a CS line from the electrical domain perspective • It is part of addressing scheme too • Multiple ranks physically equal

Country is “Rich” Older Hardware • As TIME has progressed, Techology has improved to make SMALLER electrical components. • Meaning that it takes LESS POWER To do the SAME tasks as before. 2• It may also

BOTRobotics Hardware Development • Requirements known well ahead of time • Mechanical and electrical designs are locked-in years in advance • Production robots probably won’t grow limbs or

scale • Requires judicious programming techniques • Supported by libraries • Enforced by language rules and static analysis • The basic model for achieving that can be found in A brief introduction to C++'s through a pointer is not through the nullptr (often a run-time check) • Every access through a subscripted pointer is in-range (often a run-time check) • That • Implies range checking and elimination of dangling the dawn of time • The rules are more deduced than invented Stroustrup - C++ safety -CppCon - October 2023 8 Enforcement rules are mutually dependent. Don’t judge individual rules in isolationConstraints

e1 and e2 } How can I check the cache worked? There is a bug in Clone Did you see the space?Another Issue CHECK(LOG_GET() == nullptr); Expr* e2 = parseExpr("1 + 2"); CHECK(LOG_GET() == "Cache hit test") { Expr* e1 = parseExpr("1 + 2"); Expr* e2 = parseExpr("1 + 2 "); // TODO：check the cache worked }Error Code VS Check Log int foo() { if (error1_occurred) { return 1; } if (error2_occurred) { return implementation return true; }Error Code VS Check Log There are some benefits for checking the log data • No need to change the API • No need to maintain the Error Code • Can check detailed information for a log